[ppml] Bogons etc...
william at elan.net
Wed Jan 21 16:29:04 EST 2004
On Wed, 21 Jan 2004 Michael.Dillon at radianz.com wrote:
> >Further, I think the place to do this is with DNS, much like many
> >of the spam black lists.
It's been done with DNS; it works fine (except in cases when RIRs abruptly change
the location of their data files and notify about it several days later).
If you're interested, try bogons.dnsiplists.completewhois.com
(it'll report 127.0.0.2 for all unallocated IPs).
> think we need to agree on the principle first, then
> sort out what will be published and only then decide on
> the mechanism for publishing.
RIRs are already publishing such information using "statistics files"; see
ftp://ftp.arin.net/pub/stats/
This data is OK for new space allocated by RIRs but has a number of
serious mistakes for legacy space. I track inaccuracies between RIR whois
and RIR statistics files daily in an automated way; see
http://www.completewhois.com/bogons/ipwhois_data_analysis.htm
I'll clean up my code and release a utility to convert statistics files
to a bogon list in the next couple of months as part of a larger IP list
conversion utility that I'll release as GNU open source code.
> Today we use the horribly broken whois protocol and
> the much better (but somewhat obscure) BGP protocol
The BGP protocol is lacking the necessary tools to be able to correctly use a
bogon feed (the Cymru approach is a hack and is painful to set up). There is a
draft ready, see http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-00.txt
and we're just waiting for vendors to implement it. Once that's done you'll see
not only bogon feeds but other feeds as well, such as for spam filtering.
> the ubiquitous (but primitive) DNS protocol. The IETF has
> also done a lot of work on creating a scalable directory
> access protocol (LDAP) that is widely deployed in corporate
> networks but strangely ignored on the Internet.
It's not hard to publish such a list in LDAP; the question is whether it would
be used. There are no tools that change router config based on LDAP data,
and to my knowledge firewalls do not have such tools for an LDAP feed either,
nor does mail server software, etc.
> In any case, like you, I'd like to see a mechanism that
> is scriptable by all concerned. Whois has shown that it
> can't do that consistently. We've seen text parsing problems
> on both the server end and the client end.
There is an RPSL definition for whois data that is the next layer up above the
whois protocol. RPSL is used for routing databases (as published by ARIN, for
example), is easily parseable, and there are tools to convert it for use in
router configurations and firewall configurations. Publishing information in
RPSL is a good idea that ARIN should consider doing instead of continuing to
use its own non-standard WHOIS format (note: RIPE, APNIC and LACNIC are all
using RPSL for whois data).
As far as bogons go, I've floated the idea around of working on a special
filtering definition for that (the current ones can be used if it's plain
IANA-only bogons as Cymru is doing, but the full list of unallocated blocks as
RIRs are publishing in statistics files is too large and requires some new
approach). There were not enough volunteers when I first mentioned it at
NANOG to work on it, but if people are interested I have a mailing list
set up for just that purpose and I want to finish this approach as well.
I would not be against it if RIRs started doing some kind of routing database
publishing of bogon lists afterwards (considering that each RIR, except
LACNIC, is already maintaining a routing database for its users).
> DNS, BGP and LDAP all potentially solve the parsing problems
> and all are scriptable. My personal opinion is that LDAP would
> be a better solution because it supports schemas which makes it
> darn near impossible to create a parsing problem.
> Anyone can set up a box with BIND or Zebra or OpenLDAP to receive
> a data feed and integrate it with their internal systems.
Please do it. And release such software as open source and have at least
two confirmed users (besides your own). After that, come back here
or to me personally and I promise you an LDAP bogon feed will be ready in
less than a week.
> If we stick to DNS and LDAP then it is easy to turn any
> Python/Perl/TCL/Ruby script into a DNS or LDAP client so there
> is even less infrastructure required.
Talking about writing software is easy; actually doing it is not.
> But what do we publish? Who is responsible? What
> are the limits?
> That's where we need some policy work to be done.
ARIN never liked the idea of policies that affect what it considers to be its
operations (most of my whois ideas never went through the policy process).
william at elan.net
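The post describes two pieces of the same pipeline: deriving a bogon list from the RIR statistics files, and publishing that list through a DNS zone that answers 127.0.0.2 for unallocated addresses. The script below is an added example written for this page; it is not the poster's utility (which he says he will release later) and not code from completewhois.com. It assumes the pipe-separated delegated-statistics record layout (registry|cc|type|start|value|date|status, with a version line and a summary line in front) and the usual reversed-octet DNSBL query convention; the statistics lines, the parent block 192.0.0.0/16 and the zone name bogons.example are constructed for the example.

```python
"""Added example (not the poster's code): derive a bogon list from RIR
delegated-statistics lines and answer queries the way a DNS bogon zone would."""
import ipaddress

# Constructed sample in the RIR delegated-statistics format the post points at
# (ftp://ftp.arin.net/pub/stats/): registry|cc|type|start|value|date|status,
# preceded by a version line and a summary line.  The allocations below are
# invented for the example; only the record layout is real.
SAMPLE_STATS = """\
2|arin|20040121|3|19840101|20040120|-0500
arin|*|ipv4|*|3|summary
arin|US|ipv4|192.0.2.0|256|20040101|assigned
arin|US|ipv4|192.0.8.0|2048|20030615|allocated
arin|US|ipv4|192.0.32.0|8192|20021001|allocated
"""

PARENT = "192.0.0.0/16"    # assumed parent block whose unallocated holes we want
ZONE = "bogons.example"    # assumed stand-in for a DNS bogon zone name


def parse_allocated(stats_text, parent):
    """IPv4 networks inside `parent` that the stats lines mark allocated/assigned.
    Version, summary, asn and ipv6 records are skipped."""
    allocated = []
    for line in stats_text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        start, count, status = fields[3], int(fields[4]), fields[6]
        if status not in ("allocated", "assigned"):
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (count - 1)
        # The value field is an address count, not a prefix length, and need
        # not be a single CIDR block, so expand the range into CIDR blocks.
        for net in ipaddress.summarize_address_range(first, last):
            if net.subnet_of(parent):
                allocated.append(net)
    return sorted(allocated)


def bogon_cidrs(stats_text, parent_cidr):
    """Unallocated (bogon) CIDR blocks inside `parent_cidr`, as strings."""
    parent = ipaddress.IPv4Network(parent_cidr)
    remaining = [parent]
    for net in parse_allocated(stats_text, parent):
        carved = []
        for block in remaining:
            if block.subnet_of(net):
                continue                                   # fully allocated
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))  # punch the hole
            else:
                carved.append(block)                       # disjoint, keep
        remaining = carved
    return [str(n) for n in sorted(remaining)]


def dnsbl_query_name(ip, zone):
    """Reversed-octet query name used by DNS blacklists (assumed convention),
    e.g. 192.0.3.7 -> 7.3.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def answer_query(qname, zone, bogons):
    """What a zone built from `bogons` would answer for `qname`: the post's
    127.0.0.2 for an unallocated address, None (i.e. NXDOMAIN) otherwise."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None
    nets = [ipaddress.IPv4Network(b) for b in bogons]
    return "127.0.0.2" if any(ip in n for n in nets) else None


if __name__ == "__main__":
    bogons = bogon_cidrs(SAMPLE_STATS, PARENT)
    print("bogons in", PARENT, "->", bogons)
    for ip in ("192.0.3.7", "192.0.2.1"):
        q = dnsbl_query_name(ip, ZONE)
        print(q, "->", answer_query(q, ZONE, bogons))
```

The gap-carving step is what makes the full RIR-derived list large, as the post notes: every allocation split off from its parent leaves a run of differently sized CIDR holes, so the output for a real /8 runs to far more prefixes than the handful of IANA-unassigned /8s in an IANA-only bogon list.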